Firefox 37 Update Includes 'Opportunistic Encryption' And Other Security Improvements
Mozilla released version 37 of its Firefox browser to the stable channel. The company updates its browser on a six-week schedule, just like Google.
The new version seems to be mainly about new security improvements and fixes, which comes at an ideal time, considering Firefox didn't do so well in the Pwn2Own browser security competition. Although Firefox finished among the last at Pwn2Own, Mozilla updated the browser quite quickly afterwards with the fixes for the vulnerabilities found by the security researchers attending the contest.
One of the bigger security features added to Firefox 37 is "opportunistic encryption" for servers and sites that support "HTTP/2 AltSvc." This allows Firefox to encrypt the traffic without having to authenticate it. This is better than no encryption at all, but still worse than authenticated encryption.
Unlike authenticated encryption (HTTPS), opportunistic encryption doesn't protect against active "man-in-the-middle" attacks. It only protects against passive (dragnet) surveillance (which is still of major benefit to most users).
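To make the distinction concrete, the following added example (not from the article and not Mozilla's code) parses an Alt-Svc response header and reports whether an http:// origin would end up with encryption but no authentication. The header syntax follows RFC 7838; the function names, the constructed sample header and the treatment of `h2` and `h2-NN` as the TLS-based HTTP/2 identifiers are assumptions of this example.

```python
import re

# One alt-value: protocol-id="[host]:port" then optional ;name=value parameters.
_ALT_VALUE = re.compile(
    r'\s*([A-Za-z0-9._~%+\-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)\s*(?:,|$)')

def parse_alt_svc(header):
    """Parse an Alt-Svc header value into a list of advertised alternatives."""
    if header.strip().lower() == "clear":      # "clear" withdraws all alternatives
        return []
    entries, pos = [], 0
    while pos < len(header):
        m = _ALT_VALUE.match(header, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc value at offset {pos}")
        proto, authority, params = m.groups()
        host, _, port = authority.rpartition(":")
        entry = {"proto": proto, "host": host or None, "port": int(port), "ma": None}
        for param in params.split(";"):
            name, _, value = param.partition("=")
            if name.strip().lower() == "ma":   # max-age in seconds; others ignored
                entry["ma"] = int(value.strip().strip('"'))
        entries.append(entry)
        pos = m.end()
    return entries

def is_tls_h2(proto):
    # Assumption: "h2" and draft ids such as "h2-14" mean HTTP/2 over TLS;
    # "h2c" is cleartext HTTP/2 and gives no encryption.
    return proto == "h2" or proto.startswith("h2-")

def protection(origin_scheme, entries):
    """Return what the connection gets: encryption and/or server authentication."""
    if origin_scheme == "https":
        return {"encrypted": True, "authenticated": True}
    upgraded = any(is_tls_h2(e["proto"]) for e in entries)
    return {"encrypted": upgraded, "authenticated": False}

# Constructed sample header, as a server on an http:// origin might send it.
SAMPLE = 'h2=":443"; ma=600, h2c=":8080"'

if __name__ == "__main__":
    for alt in parse_alt_svc(SAMPLE):
        print(alt)
    print(protection("http", parse_alt_svc(SAMPLE)))
```

An http:// origin never reports `authenticated` as true here, which is the article's point: the upgrade hides traffic from passive observers but gives no assurance about who is on the other end.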
Mozilla also added the OneCRL list of revoked certificates in Firefox 37, which is a feature similar to Chrome's CRLset. If a security incident requires the revocation of a certificate, then Mozilla can update its browser to disallow the forged certificate from being used.
The new Firefox also supports encrypted Bing search. While Google adopted HTTPS by default for its search engine years ago, Microsoft added optional encryption for Bing only last year, although recently the company made it mandatory, as well. Now, all Bing searches will be encrypted by default.
Mozilla also made some changes to the way the TLS encryption works in its browser:
Disabled insecure TLS version fallback for site security
Extended SSL error reporting for reporting non-certificate errors
TLS False Start optimization now requires a cipher suite using AEAD construction
Improved certificate and TLS communication security by removing support for DSA
Other features in Firefox 37 include Mozilla making Yandex the default search engine for Turkey, as well as adding its new Heartbeat feedback system into the browser. The Heartbeat system will randomly show some users a widget asking for a rating. Mozilla will then try to either improve or nurture the relationship with its users, depending on the ratings they give.
srap Few things have changed since the landing of Australis, so no idea what you complain about.
Allen Millington Few things have changed since the landing of Australis, so no idea what you complain about.
First, the change to the keyword.url behavior was terrible; I remedied by the extension keyword search. Australis is nearly bad enough to make me switch browsers. The revamp of the search was the final straw. It was completely broken for one of the versions of firefox too, both on my desktop and my friend's computer. I've since switched to pale moon (old UI on LTS firefox) and chrome. Not planning on returning to stock firefox anytime soon.
tekelymailcom Not present in the article: HTML5 playback of YouTube videos now supports more resolutions (before only 360p and 720p)
firefoxx04 When they changed the search bar to include all sorts of search engines it pissed me off. It's fine to have to manually set one desktop to google only (and turn off bing, yahoo, and the other garbage) but when you have to do an entire household at random it becomes annoying.
Almost switched to Chrome but remembered how rubbish Chrome is too.
Christopher1 Updating firefox isn't worth the constant ui revamps.
Comments like yours aren't worth reading. There are not 'constant revamps', there are constant minor tweaks since version 20.
aweg Wow, article about web encryption yet I get an error on https://tomshardware.com:
www.tomshardware.com uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)